Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2e3b5a0a753823a…

MALICIOUS

PDF

42.7 KB Created: 2020-08-30 23:24:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 50641b35f1c2530e3073a2f0666f8409 SHA-1: 5a5c2c093bcbf43b808cfa80e01ac8ca83660829 SHA-256: c2e3b5a0a753823acef5736622e71646ced8be7ec5d4fe4c3db4029c14d67074
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.me/wix?keyword=Kostenlose+online-pdf+zu+epub+Konver'. Additionally, it features a PDF link farm heuristic, indicating an attempt to mass-distribute links, with the first URL being 'https://cdn.shopify.com/s/files/1/0429/9961/1553/files/asimov_s_guide_to_the_bible.pdf'. The document body contains garbled text but includes the malicious redirector URL. The presence of these elements strongly suggests a phishing or malware distribution attempt.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.me/wix?keyword=Kostenlose+online-pdf+zu+epub+Konver
    • https://cdn.shopify.com/s/files/1/0429/9961/1553/files/asimov_s_guide_to_the_bible.pdf
    • https://cdn.shopify.com/s/files/1/0431/8507/8423/files/2827918267.pdf
    • https://cdn.shopify.com/s/files/1/0432/6191/9396/files/english_small_alphabet_writing_in_four_lines.pdf
    • https://cdn.shopify.com/s/files/1/0435/4038/1855/files/zavopeke.pdf
    • https://cdn.shopify.com/s/files/1/0431/7921/2959/files/62777161940.pdf
    • https://cdn.shopify.com/s/files/1/0439/2330/8712/files/wowifomageguzujepud.pdf
    • https://cdn.shopify.com/s/files/1/0434/8795/3053/files/sugarewowefapamokaveli.pdf
    • https://static.usrfiles.com/ugd/b8c837_a05a740ae8084971922c5bc4ebafd620.pdf
    • https://static.usrfiles.com/ugd/67e251_4f7bf54c45904464ba45bc12b9f74951.pdf
    • https://static.usrfiles.com/ugd/b8c837_24f40ae37c9043b6b7bc1a45d3cb2a28.pdf
    • https://cdn.shopify.com/s/files/1/0431/4886/9786/files/denuvojugokafarujas.pdf
    • https://cdn.shopify.com/s/files/1/0435/5411/1656/files/zubijufozekew.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006559.bin
4b1781a864825d1d7dcc0a71079ee6af237d16a453692daba7f72dcd45500829		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6559 5076 bytes
font_01_sfnt_off000076bf.bin
72e0e48551626613bec25efb3afbb34cd325320b31796958ed782c077b2a4a30		 pdf-font-stream PDF embedded font (sfnt) at offset 0x76BF 11616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.